VPN Traffic and PORTS

lasani
Level 1

I have blocked all outbound traffic to the Internet in the PIX firewall except web (port 80). One user needs to connect his laptop to our network; it has the Cisco VPN client, and he wants to connect to some remote network (not ours).

I would like to know which ports to open in my firewall to allow VPN traffic.

Is there any security issue?

4 Replies

jackko
Level 7

Add these protocols/ports to the existing outbound ACL:

udp 500

udp 4500

esp

I guess the security risk is that once the VPN tunnel is fully established, the laptop could be compromised from the remote network, as normally the VPN allows all traffic. Assuming the laptop is compromised, your private net may also be at risk, since this particular laptop has full access to your private net.

To prevent this, make sure the laptop has all the patches, including anti-virus signatures. Also, verify with the remote network regarding their security level.

m.sir
Level 7

UDP port 500

access-list in_out permit udp any any eq 500

IP protocol 50 (ESP)

access-list in_out permit esp any any

NAT traversal could also help when the VPN client is not working:

isakmp nat-traversal
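The two replies above give the same answer in pieces (jackko lists the protocols, m.sir shows the ACL syntax). Here they are combined into one PIX 6.3-style outbound policy, as an added example that is not from any post in this thread. The addresses are constructed placeholders: 10.1.1.50 stands for the VPN user's laptop and 203.0.113.10 for the remote VPN gateway; in_out is the ACL name m.sir used.

```cisco
! Added example (not from any post in this thread): PIX 6.3-style outbound ACL
! combining the entries jackko and m.sir list. All addresses are constructed
! placeholders: 10.1.1.50 is the VPN user's laptop, 203.0.113.10 is the
! remote VPN gateway; in_out is the ACL name from m.sir's post.
!
! Existing policy: web access for everyone on the inside
access-list in_out permit tcp any any eq www
!
! IPsec from the one laptop to the one remote gateway only:
!   udp/500  ISAKMP (IKE negotiation)
!   udp/4500 NAT-T (ESP encapsulated in UDP when the client sits behind PAT)
!   esp      IP protocol 50 (ESP when no NAT is in the path)
access-list in_out permit udp host 10.1.1.50 host 203.0.113.10 eq 500
access-list in_out permit udp host 10.1.1.50 host 203.0.113.10 eq 4500
access-list in_out permit esp host 10.1.1.50 host 203.0.113.10
!
! Everything else outbound is dropped (this is the implicit deny, written out
! so hit counts are visible in "show access-list")
access-list in_out deny ip any any
!
access-group in_out in interface inside
```

Scoping the three IPsec entries to one source host and one destination gateway, rather than `any any`, limits the new opening to the single laptop and peer the question is about, and the explicit deny at the end makes anything else that is tried show up in the ACL counters. When the PIX is doing PAT for the inside network (the usual case), the client detects the NAT during IKE and switches to NAT-T, so the udp/4500 line is the one that actually carries the tunnel; the `isakmp nat-traversal` command on the PIX itself only affects IPsec tunnels that terminate on the PIX, not a client passing through it.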

Hi dear,

I am running PIX version 6.3.3 and the remote system to connect to is a Cisco VPN 3000. I have enabled NAT Traversal both in the client software and in my PIX, but it is still not working. I have tested with these commands: "sysopt connection permit-ipsec"

and "isakmp nat-traversal [natkeepalive]".

Best regards,

Sfanayei

Can you make sure that the Cisco VPN Client is not configured for IPsec over TCP?